Research on Multi-dimensional Monitoring Methods for Inter-domain Routing Security (域间路由安全多维监测方法的研究)
Abstract
With the deepening commercialization of the Internet, more and more network applications are being deployed on it. As the Internet's basic supporting infrastructure, the inter-domain routing system has a strong influence, through its security and stability, on whether those applications keep running normally, and in recent years several major Internet security incidents related to the routing system have occurred. To maintain the security and stability of the routing system, academia has proposed some improvements, chiefly the design of new protocols and the establishment of monitoring mechanisms. Using a newly designed protocol requires, on the one hand, updating the existing routing system and, on the other hand, consumes large amounts of computing and bandwidth resources because of the authentication and other measures introduced, so industry has not adopted this approach. Monitoring, by contrast, has already been adopted by some companies, which provide corresponding monitoring services on the Internet. However, the existing monitoring approaches are inadequate in both method and diversity: their results consist mainly of displaying routing information, and they are not well targeted at perceiving the security state of the routing system.
From the perspective of security monitoring, this thesis studies the factors that affect the security and stability of the routing system and, addressing the deployment difficulties of current routing security mechanisms and the inadequate awareness of routing security state, proposes a multi-dimensional monitoring method for inter-domain routing security. The multi-dimensional method mines anomaly information from routing table entries, routing UPDATE messages and routing-system traffic along multiple dimensions at the data, forwarding and policy layers. The results of the individual detection dimensions complement one another, giving a more complete assessment of routing security state, and also support cross-validation of results, giving more precise detail on each anomaly. Monitoring routing information with this method accurately identified several security incidents, and the details of each anomaly could be examined from multiple dimensions. The proposed monitoring method is centred on multi-dimensional detection techniques and comprises the following aspects:
First, because the routing table determines how the routing system forwards network traffic, this thesis designs a security detection technique based on the routing table. By their generating mechanism, routing anomalies are classified into format anomalies and semantic anomalies, and single-view and multi-view detection mechanisms are designed for them respectively; the detection mechanism is extensible, so new detection rules can be added easily. Experiments show that table-based detection discovers many kinds of anomalies, and that multi-view detection is predictive for routing conflicts: a conflict can be discovered before the information that causes it has propagated to the local vantage point. Table-based detection comprehensively discovers the anomalies present in routing information over a period of time; it occupies a foundational position among the multi-dimensional detection techniques and can verify anomalies found by other methods.
Second, since table-based detection is a static mechanism, this thesis proposes a real-time detection technique based on routing messages to meet the real-time requirements of inter-domain routing security detection. By simplifying the anomaly judgement rules, routing messages are checked quickly; at the same time, a buffering mechanism is used to check multiple messages jointly, which effectively discovers MOAS (Multiple Origin AS) conflict anomalies. As a real-time measure, message-based detection discovers most anomaly information and supports timely repair of abnormal network states.
Finally, to address the data-acquisition and efficiency problems of detection based on the content of routing information, this thesis proposes a detection technique based on routing traffic. Statistics and calculation of the Hurst exponent of routing traffic show that it is self-similar, which motivates introducing wavelet analysis for detection; a traffic matrix is then used to aggregate anomalies observed at multiple points, revealing the propagation scope of an anomaly and the correlation between anomalies. Lastly, by monitoring the traffic of specific prefixes, a potential prefix hijacking anomaly was successfully discovered and located. Used as the first-line method, traffic-based detection narrows the verification space for further anomaly detection and improves detection efficiency.
Based on the key techniques above, this thesis designs and implements a complete multi-dimensional monitoring system for inter-domain routing security. The system combines multiple detection dimensions to check all types of routing information, obtains rich and highly accurate anomaly detection results, and achieves layered monitoring of the inter-domain routing system from the data layer through the forwarding layer to the policy layer. In addition, according to the organisational structure of the inter-domain routing system and the requirements of a security monitoring system, a multi-source routing information collection mechanism is designed. Setting up several collection points that dynamically fetch routing data from the relevant servers extends the routing view of the monitoring system; fetching routing knowledge from several public data services builds a multi-granularity routing knowledge base, which improves detection accuracy. Part of the monitoring system has been deployed in major domestic operator networks, where it analyses routing system behaviour and operating state in real time and presents them visually.
With the commercialization of the Internet, more and more applications have been deployed on it. The inter-domain routing system is the key infrastructure of the Internet and has a decisive impact on traffic forwarding. Because the inter-domain routing system lacks security mechanisms and is therefore vulnerable, several new routing protocols have been designed; however, because of deployment difficulties and running costs, industry has not adopted them. Although some companies offer monitoring services to the public, these services focus on displaying routing information and do not address the security aspect. Based on in-depth research on the security and stability of the inter-domain routing system, we propose a multi-dimensional detection framework that discovers potential anomalies in both routing entries and traffic at the data plane, control plane and policy plane. Experiments on routing information archives show that, through mutual complement and validation across multiple dimensions, our security-directed and measure-enriched approach detects routing anomalies accurately and completely. The key detection techniques in our approach are as follows:
As the routing table is the basis of traffic routing, we propose a table-based security detection mechanism. We classify anomalies into two categories, format anomalies and semantic anomalies, and design single-view and multi-view detection models based on this classification. The table-based detection mechanism is extensible: new detection models can be imported. It acts as the foundation detection measure and can verify results detected by other means. Experiments show that it performs well in in-depth anomaly detection.
To meet the real-time requirement of anomaly awareness, we propose a packet-based anomaly detection mechanism for inter-domain routing, which includes two techniques: a real-time anomaly detection model based on simplified validity rules, and a MOAS detection model that uses a packet buffer to cache multiple UPDATE packets for joint detection. This mechanism serves as a real-time anomaly detection measure and supports fixing network failures in time. We demonstrate its validity with the detection results for the YouTube incident.
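As an added illustration of the packet-based real-time detection described in this paragraph and in the Chinese abstract above (example code written for this page, not the thesis's implementation): stateless validity rules run on each UPDATE, and a bounded buffer of recent announcements is checked jointly for MOAS conflicts. The rule thresholds, the window size and the sample announcements are assumptions; the prefixes and AS numbers are taken from the documentation ranges.

```python
from collections import deque
from ipaddress import ip_network

def quick_rules(upd):
    """Stateless per-message checks (thresholds assumed for this example)."""
    net, path, hits = ip_network(upd["prefix"], strict=False), upd["as_path"], []
    if net.version == 4 and net.prefixlen > 24:   # too specific to be globally routed
        hits.append("prefix_too_specific")
    if any(64512 <= a <= 65534 for a in path):    # RFC 6996 private 16-bit ASN leaked
        hits.append("private_asn_in_path")
    return hits

class MoasBuffer:
    """Sliding window over the last `window` announcements, indexed by prefix; a
    prefix whose buffered announcements carry >1 origin AS is a MOAS conflict."""
    def __init__(self, window=1000):
        self.window, self.buf, self.origins = window, deque(), {}

    def feed(self, upd):
        """Record one announcement; return the sorted origin set if it conflicts."""
        prefix, origin = upd["prefix"], upd["as_path"][-1]   # origin = last AS in path
        self.buf.append((prefix, origin))
        counts = self.origins.setdefault(prefix, {})
        counts[origin] = counts.get(origin, 0) + 1
        if len(self.buf) > self.window:           # evict the oldest, keep counts exact
            p, o = self.buf.popleft()
            self.origins[p][o] -= 1
            if self.origins[p][o] == 0:
                del self.origins[p][o]
        return sorted(counts) if len(counts) > 1 else None

def scan(updates, window=1000):
    """Run both detectors over an UPDATE stream; return (index, kind, detail) alerts."""
    alerts, moas = [], MoasBuffer(window)
    for i, upd in enumerate(updates):
        for rule in quick_rules(upd):
            alerts.append((i, rule, upd["prefix"]))
        conflict = moas.feed(upd)
        if conflict:
            alerts.append((i, "moas_conflict", (upd["prefix"], conflict)))
    return alerts

# Constructed sample stream using documentation prefixes and ASNs (RFC 5737 / RFC 5398).
SAMPLE = [
    {"prefix": "192.0.2.0/24",    "as_path": [64496, 64497]},
    {"prefix": "198.51.100.0/24", "as_path": [64496, 64498]},
    {"prefix": "203.0.113.0/26",  "as_path": [64496, 64499]},         # /26: too specific
    {"prefix": "192.0.2.0/24",    "as_path": [64496, 64500]},         # second origin: MOAS
    {"prefix": "198.51.100.0/24", "as_path": [64496, 65000, 64498]},  # private ASN in path
]
```

With a window of 2 the conflicting announcement at index 3 has already been evicted, so the MOAS alert disappears; the buffer size therefore bounds both memory and the conflicts that can be seen.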
To address the difficulty of data acquisition and the computational cost of routing-entry-based detection, we also propose a novel approach to detecting BGP anomalies: the traffic-based detection mechanism. The Hurst exponent, which turns out to lie between 0.5 and 1, shows that BGP UPDATE traffic matches the pattern of self-similarity, which motivates us to choose discrete wavelet transforms for analysing the traffic. By applying wavelet analysis to BGP UPDATE traffic we observe traffic anomalies, and we cluster these anomalies to assess the scope of anomaly propagation. Finally, we monitor traffic for specified networks to detect prefix hijacking, and the experiments show that our approach is effective in reducing the search scale for prefix-hijacking detection.
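An added example (not the thesis's code) of the Hurst-exponent step described here and in the Chinese abstract: a rescaled-range (R/S) estimator applied to a per-interval UPDATE count series, calibrated against two series with known H. The update counts are constructed with a fixed-seed generator, not measured traffic, and the block sizes are an assumption.

```python
import math

def rescaled_range(block):
    """R/S of one block: range of the cumulative mean-adjusted sum over its std.
    Returns None for a constant block (S == 0), which carries no scaling information."""
    n, mean = len(block), sum(block) / len(block)
    std = math.sqrt(sum((v - mean) ** 2 for v in block) / n)
    if std == 0:
        return None
    cum, lo, hi = 0.0, 0.0, 0.0
    for v in block:
        cum += v - mean
        lo, hi = min(lo, cum), max(hi, cum)
    return (hi - lo) / std

def hurst_rs(series, sizes=(8, 16, 32, 64, 128)):
    """H is the least-squares slope of log(mean R/S) against log(block size).
    Block sizes are an assumption; use powers of two that divide the series."""
    xs, ys = [], []
    for n in sizes:
        blocks = [series[i:i + n] for i in range(0, len(series) - n + 1, n)]
        rs = [r for r in map(rescaled_range, blocks) if r is not None]
        if rs:
            xs.append(math.log(n))
            ys.append(math.log(sum(rs) / len(rs)))
    xm, ym = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sum((x - xm) ** 2 for x in xs)

def self_similar(h):
    """The abstract's criterion: long-range dependence when 0.5 < H < 1."""
    return 0.5 < h < 1.0

def lcg(seed, n):
    """Tiny fixed-seed generator so the constructed series is reproducible offline."""
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2 ** 31
        out.append(x / 2 ** 31)
    return out

# Constructed series, not thesis data: 1024 one-minute bins of "UPDATEs received".
# The counts are memoryless, so H should sit near (slightly above) 0.5; the two
# reference series bracket the scale at H close to 1 and H close to 0.
SAMPLE_UPDATE_COUNTS = [50 + int(60 * u) for u in lcg(2024, 1024)]
TREND = list(range(1024))       # monotone drift: strongly persistent, H close to 1
ALTERNATING = [1, -1] * 512     # flip every bin: anti-persistent, H close to 0
```

R/S overestimates H on short blocks, so an estimate around 0.6 for memoryless traffic is expected; compare against a shuffled copy of the same series before reading H > 0.5 as evidence of self-similarity.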
Finally, we design and implement a multi-dimensional monitoring system based on the above techniques. Horizontally, the system comprises four modules: the routing knowledge database and the table-based, packet-based and traffic-based detection modules. Vertically, it comprises four layers: the network monitoring layer, the data acquisition layer, the core detection layer and the service layer. To complement the system, we designed a multi-source routing information acquisition mechanism, which effectively and steadily collects routing data and routing knowledge from various information sources to feed the running monitoring system.